sysctl
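# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
# Read by sysctl(8) / procps at boot (and by "sysctl -p").  Keys that do not
# exist on the running kernel are reported as errors and skipped, the rest of
# the file is still applied, so check the output of "sysctl -p" after editing.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
# Reboot 10 seconds after a kernel panic instead of hanging
kernel.panic = 10
###################################################################
# IPv4 networking start
###################################################################
# Enable source validation by reversed path, as specified in RFC1812, which
# turns on Source Address Verification on all interfaces to prevent some
# spoofing attacks.  "all" covers existing interfaces, "default" is inherited
# by interfaces created later; both are set so the rule holds for hot-plugged
# or virtual interfaces too.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Enable TCP/IP SYN cookies, see http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
# Packet forwarding for IPv4 (0 = this host is not a router)
net.ipv4.ip_forward = 0
# RFC 1337, TIME-WAIT Assassination Hazards in TCP, a fix written in 1992
# for some theoretically-possible failure modes for TCP connections. To this
# day this RFC still has people confused if it negatively impacts performance
# or not or is supported by any decent router. Murphy's Law is that the only
# router that it would even have trouble with is most likely your own.
net.ipv4.tcp_rfc1337 = 1
# TCP window scaling tries to avoid saturating the network adapter with
# incoming packets.  (Set once here; the tuning block further down relies on
# this value rather than repeating the key.)
net.ipv4.tcp_window_scaling = 1
# If enabled, assume that no receipt of a window-scaling option means that the
# remote TCP is broken and treats the window as a signed quantity. If
# disabled, assume that the remote TCP is not broken even if we do not receive
# a window scaling option from it.
net.ipv4.tcp_workaround_signed_windows = 1
# TCP SACK and FACK refer to options found in RFC 2018 and are also documented
# back to Linux Kernel 2.6.17 with an experimental "TCP-Peach" set of
# functions. These are meant to get you your data without excessive losses.
# NOTE(review): tcp_fack was dropped from newer kernels; if "sysctl -p"
# reports it as unknown, remove the line rather than the whole block.
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
# The latency setting is 1 if you prefer more packets vs bandwidth, or 0 if you
# prefer bandwidth. More packets are ideal for things like Remote Desktop and
# VOIP: less for bulk downloading.
# NOTE(review): newer kernels no longer honour tcp_low_latency; harmless if
# accepted, remove it if "sysctl -p" reports it as unknown.
net.ipv4.tcp_low_latency = 1
# I found RFC 2923, which is a good review of PMTU. IPv6 uses PMTU by default
# to avoid segmenting packets at the router level, but it's optional for
# IPv4. PMTU is meant to inform routers of the best packet sizes to use between
# links, but it's a common admin practice to block ICMP ports that allow
# pinging, thus breaking this mechanism. Linux tries to use it, and so do I: if
# you have problems, you have a problem router, and can change the "no" setting
# to 1. "MTU probing" is also a part of this: 1 means try, and 0 means don't.
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.tcp_mtu_probing = 1
# FRTO is a mechanism in newer Linux kernels to optimize for wireless hosts:
# use it if you have them; delete the setting, or set to 0, if you don't.
#net.ipv4.tcp_frto = 2
#net.ipv4.tcp_frto_response = 2
# TCP Congestion Controls
#
# Windows Vista and newer gained Compound TCP as an alternative to standard TCP
# Reno. Linux Kernel 2.6 has had numerous mechanisms available to it for some
# time: 2.6.19 defaulted to CUBIC which was supposed to work well over "long
# links." My two personal favorites: TCP Westwood + and TCP Illinois. But you
# can dig in, look at different research papers online, and see what works best
# for your environment.
#
# 1. Make sure your kernel has the correct module: in my example, I use TCP
# Illinois, which has been compiled with any standard Ubuntu kernel since 2008,
# and is found as tcp_illinois. 2. Add said kernel module to /etc/modules
# 3. Change /etc/sysctl.conf to use the non "tcp_" part of your selection.
# If the module is not loaded when this file is applied, the kernel rejects
# the value and keeps its previous congestion control.
net.ipv4.tcp_congestion_control = illinois
# Do not accept ICMP redirects (prevent MITM attacks).  secure_redirects only
# matters when accept_redirects is 1; it is kept at 1 on both "all" and
# "default" so that, should redirects ever be re-enabled, only redirects from
# configured gateways are honoured.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 1
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Do not accept IP source route (SRR) packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Log Martian packets (impossible source/destination addresses) on all
# interfaces, including ones created after boot.  Useful as a detection signal
# for spoofing and misrouting; rate-limited by the kernel.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Allow TIME-WAIT sockets to be reused for new outgoing connections; relevant
# on hosts that open many short-lived client connections.  Relies on TCP
# timestamps being enabled (the kernel default).
net.ipv4.tcp_tw_reuse = 1
###################################################################
# IPv6 networking start
###################################################################
# Disable IPv6
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# NOTE(review): secure_redirects may not exist under net.ipv6 on your kernel;
# confirm with "sysctl -a | grep secure_redirects" and drop the line if absent.
net.ipv6.conf.all.secure_redirects = 1
# Uncomment the next line to enable packet forwarding for IPv6. Enabling this
# option disables Stateless Address Autoconfiguration based on Router
# Advertisements for this host.
#net.ipv6.conf.all.forwarding = 0
# Do not accept IP source route (SRR) packets (we are not a router)
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# The "default" keys below apply to interfaces created after this file is
# loaded; interfaces that already exist keep their current per-interface
# values unless the matching "all" key is set as well.
# Number of Router Solicitations to send until assuming no routers are present.
# This is a host, not a router.
net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
# Learn the default router from Router Advertisements
net.ipv6.conf.default.accept_ra_defrtr = 0
# Router advertisements can cause the system to assign a global unicast address
# to an interface
net.ipv6.conf.default.autoconf = 0
# How many neighbor solicitations to send out per address?
# 0 turns Duplicate Address Detection off entirely; only appropriate when
# addresses are assigned statically and known to be unique on the link.
net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
###################################################################
# Enable ExecShield protection (RHEL-family kernels only)
#kernel.exec-shield = 1
# Address space layout randomisation: 2 randomises stack, mmap, VDSO and the
# heap (brk); 1 leaves the heap unrandomised and is weaker than the kernel's
# own default.
kernel.randomize_va_space = 2
# TCP and memory optimization increase TCP max buffer size setable using
# setsockopt()
# Values are: min default max (bytes)
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
# System file descriptor limit
# NOTE(review): recent kernels derive a default from RAM that is often larger
# than 65535; compare against "sysctl fs.file-max" before pinning this value,
# or it may lower the limit instead of raising it.
fs.file-max = 65535
# Allow for more PIDs
kernel.pid_max = 65536
# Increase system IP port limits (ephemeral port range, low high)
net.ipv4.ip_local_port_range = 2000 65000
# 1 = always overcommit.  Recommended by some database vendors (see [5]) but it
# means allocations never fail up front, so memory pressure is handled by the
# OOM killer instead.
vm.overcommit_memory = 1
vm.zone_reclaim_mode = 0
vm.max_map_count = 131072
# Controls the System Request debugging functionality of the kernel
# (0 disables the magic SysRq key entirely)
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# References:
# [1] http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
# [2] http://www.slashroot.in/linux-network-tcp-performance-tuning-sysctl
# [3] http://www.cyberciti.biz/faq/linux-tcp-tuning/
# [4] http://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php
# [5] http://docs.datastax.com/en/cassandra/2.0/cassandra/install/installRecommendSettings.html
# [6] http://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/proc.html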